
Pacing towards a data protection law: Analysing the Digital Personal Data Protection Bill, 2023

04 August 2023

by Prashant Phillips and Sameer Avasarala

The Minister of Electronics & Information Technology introduced the Digital Personal Data Protection Bill, 2023 (‘Bill’) on 3 August 2023[1], in the Lok Sabha. The Bill proposes a comprehensive framework for data protection in India, recognizing the right to protect personal data and the need to process such data for lawful purposes. The Bill is a successor to the Draft Digital Personal Data Protection Bill, 2022 (‘2022 Draft’) which was released by the Ministry of Electronics & Information Technology (‘MEITY’) in November 2022.

The Bill proposes the constitution of the Data Protection Board (‘DPB’ or ‘Board’), to function as an independent digital office that primarily discharges an adjudicatory role, with rule-making powers[2] vested largely in the Central Government.

The Bill applies to the processing of personal data of the individuals to whom such data relates[3] (‘Data Principals’), whether by entities which determine the purposes and means of processing[4] (‘Data Fiduciaries’ or ‘Fiduciaries’) or by those which process personal data on behalf of Data Fiduciaries[5] (‘Data Processors’ or ‘Processors’). While it is primarily applicable to the processing of personal data in India, it also applies to processing outside India in connection with activities relating to the offering of goods or services to Data Principals in India[6].

Key changes from the 2022 Draft

Exclusion of profiling: This is a notable exclusion particularly since the term ‘profiling’ has not been used or referred to under the provisions of the Bill. It is worth noting that while the 2022 Draft and earlier drafts proposed applicability of the Bill to processing of personal data outside India in connection with the profiling[7] of Data Principals within India, this is not expressly covered in the Bill. Instead, the Bill is applicable now only to processing outside India in connection with offering of goods or services to Data Principals within India, which was also present in the 2022 Draft. While it may be argued that profiling may constitute processing[8] under the ambit of the Bill, no additional safeguards or restrictions would apply to such profiling if performed outside India. However, any behavioural monitoring (which could be for the purpose of profiling) of children is restricted under the Bill[9], unless exempt[10].

Enhanced notice requirements: While the 2022 Draft proposed a requirement to disclose a description of the personal data collected and the purpose of processing, the Bill appears to have marginally enhanced these requirements to also include the manner in which Data Principals may exercise their rights relating to withdrawal of consent[11] and grievance redressal[12], and it also requires the procedure for filing a complaint with the Board to be specified in the notice.

Substitution of deemed consent with legitimate uses: It may be recalled that the 2022 Draft introduced the principle of ‘deemed consent’[13], covering situations where Data Principals voluntarily provided personal data and such sharing was reasonably expected. The Bill now replaces this with ‘legitimate uses’[14], which forms one of the grounds on which personal data may be processed. Voluntary provision of personal data is retained as one of the instances on which processing may be based. However, the Bill specifically states that for such voluntary sharing to be relied upon, it must be pursuant to a specified purpose[15], which suggests that notice requirements would still need to be complied with.

Grandfathering provisions: In respect of personal data collected prior to the commencement of the Bill, it is clarified that Fiduciaries will be required to comply with the Notice Requirements[16], which was also provided in the 2022 Draft. Additionally, the Bill clarifies that Fiduciaries may continue to process such personal data until and unless the Data Principal has withdrawn consent in respect of the same[17]. This may reduce the compliance burden involving consent to be obtained afresh.

Processing of Children’s Personal Data: The Bill retains the obligations relating to processing of children’s personal data that were seen in the 2022 Draft[18], such as obtaining parental consent and protections against tracking, behavioural monitoring or targeted advertising. In addition, the Bill widens a restriction found in the 2022 Draft: where the 2022 Draft restricted processing likely to cause ‘harm’, a construction confined to a narrower set of matters involving bodily harm, identity, harassment or prevention of lawful gain or significant loss[19], the Bill restricts any processing that results in a detrimental effect on the well-being of a child.

The proposed Bill also creates an exemption framework from certain aforesaid requirements in the following manner:

  1. Similar to the 2022 Draft[20], the Government is proposed to retain the power to exempt certain classes of Fiduciaries or specify purposes for which exemptions may be provided, subject to conditions[21], which may be prescribed[22];
  2. In addition to the above, the Government may also exempt (and provide leeway on the applicable age for) notified processing by Fiduciaries whose processing has been determined to be ‘verifiably safe’, based on an assessment of appropriate factors by the Government. While there is no clarity on the nature or grounds of such assessment, the Ministry of Women & Child Development reportedly[23] may also be jointly tasked with it.

Data Subject Rights: Similar to the 2022 Draft, the proposed Bill grants Data Principals the following rights: access to information, correction, erasure and updation, grievance redressal, and nomination. Some of the key changes proposed with regard to data subject rights under the Bill include:

  1. The right to access information is limited to personal data being processed by the Fiduciary[24] and no longer extends to personal data that has been processed, as the 2022 Draft provided[25];
  2. The right to access has been extended to include details of data processors[26] with whom information has been shared;
  3. Exemptions have been carved out from applicability of right to access, to provide for the sharing of personal data by a Data Fiduciary with other Fiduciaries pursuant to prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences[27];
  4. Data Principals must exhaust opportunities of grievance redressal prior to approaching the Board[28].

Cross-border transfers: In line with the reportage[29], the proposed Bill adopts a ‘black-list’ approach by enabling the Government to restrict transfers of personal data to countries or territories notified by the Government from time to time. It is also clarified in this regard that this provision would not override laws that provide for a higher degree of protection or restriction on the transfer of personal data in relation to any personal data or Fiduciary[30]. This is intended to refer to sector-specific legislation, such as that relating to payment system data[31] and insurance records[32], whose restrictions would continue to apply.

Further, exemptions from applicability of certain provisions (including cross-border transfers) have been extended to processing necessary for corporate restructuring transactions approved by a court or tribunal or other authority[33], apart from processing for debt recovery[34].

Exemptions for Startups: In addition to the exemptions pertaining to the State and its instrumentalities and to research and statistical purposes, certain provisions of the Bill are also proposed not to apply to startups[35]. Separately, the Government is also empowered to exempt classes of Fiduciaries from certain provisions during a transitory period, which may not extend beyond 5 (five) years[36].

Structure of the Data Protection Board: The Bill conceptualizes the Board as a body corporate having perpetual succession. While the headquarters of the Board would be determined by the Government, it is anticipated to be a ‘digital office’[37]. The composition of the Board (with at least one legal expert[38]), nature of qualifications, terms of appointment, removal, resignation of chairperson and members, powers and functions and procedures of the Board have been laid out in greater detail.

Changes in Adjudication of Disputes: The Bill proposes certain changes to the process concerning adjudication of disputes. Some of the key changes proposed include:

  1. The Bill provides that the Board may impose the monetary penalties specified in the Schedule; however, the earlier reference to a maximum penalty of Rs. 500 crores, present in the 2022 Draft[39], has been dropped from the Bill; and
  2. Appeals from the Board would lie to the Telecom Disputes Settlement and Appellate Tribunal[40] (‘TDSAT’) within a 60-day period[41] from receipt of decision of the Board.

The Government has been vested with significant powers under the Bill; in addition, certain aspects of the Bill also have an interface with the Information Technology Act, 2000 (‘IT Act’), the Intermediaries Guidelines[42] and the Blocking Rules[43], as outlined below:

Information solicitation: At the outset, the Bill provides that the Central Government is empowered to require the Board or any Fiduciary or intermediary[44] to furnish such information as it may call for[45]. Ostensibly drawn from the Personal Data Protection Bill, 2019[46] (‘2019 Draft’), this provision remains unclear.

The provision gives no guidance or detail on the information that may be solicited (including whether it would cover personal data or anonymised or non-personal data, as was the case under the 2019 Draft), the purposes of soliciting such data, the grounds for such solicitation, or any remedies available to Fiduciaries or intermediaries. It remains to be seen whether such a provision would pass muster under the Puttaswamy[47] triple test.

Blocking of Information: In addition to information solicitation, the Government may also inter-link the Bill with the Blocking Rules. While the Board itself would not have powers to block information or resources, where a Data Fiduciary under consideration has been subjected to a monetary penalty on more than two instances, the Board may refer the matter to the Central Government and advise it, in the ‘interests of the general public’, to block access to the computer resources that enable the Fiduciary to carry on the business of offering goods or services to residents of India.

Based on the above, the Government may, after giving an opportunity of being heard, direct agencies or intermediaries to block such information[48], and such a direction is binding upon those intermediaries[49]. Apart from this, the Bill does not provide elaborate details or procedures governing how such a reference to blocking may be recommended by the Board or accepted by the Government. Ostensibly, this remedy is meant to address the risk that the contravening Data Fiduciary’s continued operations may expose the personal data it holds to significant risks. In any case, a reference made to the Government is subject to a right to be heard[50] and to the safeguards provided under the Blocking Rules[51].


The Bill presents a distinctive approach to regulating the processing of personal data by Fiduciaries, and by extension Processors, with identified grounds for processing personal data, specific requirements around consent, recognition of additional obligations for processing children’s data and the classification of significant data fiduciaries, apart from providing data subject rights and specific provisions relating to transfers.

While a nimble framework may allow the legislation to remain responsive to advances in technology and processing, certain aspects of the Bill, such as the solicitation of information and the blocking powers, may need to be revisited. As the Bill is staged for debate and consideration in the near future, it remains unclear whether this version of the proposed legislation will see the light of day.

[The authors are Executive Partner and Senior Associate in Data Protection and TMT practice of Lakshmikumaran & Sridharan Attorneys at New Delhi and Hyderabad, respectively]


***


[1] Bulletin Part – I dated August 3, 2023, available at https://sansad.in/getFile/bull1mk/17/XII/03082023.pdf?source=loksabhadocs

[2] Clause 40, Digital Personal Data Protection Bill, 2023.

[3] Clause 2(j), Digital Personal Data Protection Bill, 2023.

[4] Clause 2(i), Digital Personal Data Protection Bill, 2023.

[5] Clause 2(k), Digital Personal Data Protection Bill, 2023.

[6] Clause 3, Digital Personal Data Protection Bill, 2023.

[7] Clause 4(2), Digital Personal Data Protection Bill, 2022.

[8] Clause 2(x), Digital Personal Data Protection Bill, 2023.

[9] Clause 9(3), Digital Personal Data Protection Bill, 2023.

[10] Clause 9, Digital Personal Data Protection Bill, 2023.

[11] Clause 6(4), Digital Personal Data Protection Bill, 2023.

[12] Clause 13, Digital Personal Data Protection Bill, 2023.

[13] Clause 8, Digital Personal Data Protection Bill, 2022.

[14] Clause 7, Digital Personal Data Protection Bill, 2023.

[15] Clause 2(za), Digital Personal Data Protection Bill, 2023.

[16] Clause 6(2), Digital Personal Data Protection Bill, 2022.

[17] Clause 5(2)(b), Digital Personal Data Protection Bill, 2023.

[18] Clause 10, Digital Personal Data Protection Bill, 2022.

[19] Clause 2(10), Digital Personal Data Protection Bill, 2022.

[20] Clause 10(4), Digital Personal Data Protection Bill, 2022.

[21] Clause 9(4), Digital Personal Data Protection Bill, 2023.

[22] Clause 40(2)(j), Digital Personal Data Protection Bill, 2023.

[23] Data Bill may lower age of consent, available at https://economictimes.indiatimes.com/tech/technology/data-bill-may-give-govt-power-to-lower-the-age-of-consent/articleshow/101647708.cms?from=mdr

[24] Clause 11(1)(a), Digital Personal Data Protection Bill, 2023.

[25] Clause 12(2), Digital Personal Data Protection Bill, 2022.

[26] Clause 11(1)(b), Digital Personal Data Protection Bill, 2023.

[27] Clause 11(2), Digital Personal Data Protection Bill, 2023.

[28] Clause 13(3), Digital Personal Data Protection Bill, 2023.

[29] Negative List for data transfer in works, available at https://economictimes.indiatimes.com/tech/technology/india-may-blacklist-some-nations-to-stop-data-flow-mos-it/articleshow/98829328.cms?from=mdr

[30] Clause 16(2), Digital Personal Data Protection Bill, 2023.

[31] Storage of Payment System Data Circular dated April 6, 2018, available at https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0

[32] Regulation 3(7), IRDAI (Maintenance of Insurance Records) Regulations, 2015.

[33] Clause 17(1)(e), Digital Personal Data Protection Bill, 2023.

[34] Clause 17(1)(f), Digital Personal Data Protection Bill, 2023.

[35] Explanation to Clause 17(3) defines startup as ‘a private limited company or a partnership firm or a limited liability partnership incorporated in India, which is eligible to be and is recognised as such in accordance with the criteria and process notified by the department to which matters relating to startups are allocated in the Central Government’.

[36] Clause 17(5), Digital Personal Data Protection Bill, 2023.

[37] Clause 2(m), Digital Personal Data Protection Bill, 2023.

[38] Clause 19(3), Digital Personal Data Protection Bill, 2023.

[39] Clause 25(1), Digital Personal Data Protection Bill, 2022.

[40] Clause 29(1), Digital Personal Data Protection Bill, 2023.

[41] Clause 29(2), Digital Personal Data Protection Bill, 2023.

[42] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

[43] Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

[44] Section 2(1)(w), Information Technology Act, 2000.

[45] Clause 36, Digital Personal Data Protection Bill, 2023.

[46] Clause 91, Digital Personal Data Protection Bill, 2022.

[47] Justice K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1.

[48] Clause 37(1), Digital Personal Data Protection Bill, 2023.

[49] Clause 37(2), Digital Personal Data Protection Bill, 2023.

[50] Clause 37, Digital Personal Data Protection Bill, 2023.

[51] Information Technology (Procedure & Safeguards for Blocking for Access of Information by Public) Rules, 2009.
